Skip to content

Commit 9e2ad3a

Browse files
author
Martin Linkhorst
committed
leverage new IAM properties on CLM's cluster object
1 parent b3a1f3c commit 9e2ad3a

File tree

1 file changed

+4
-5
lines changed

1 file changed

+4
-5
lines changed

cluster/manifests/deployment-service/01-config.yaml

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -12,16 +12,17 @@ data:
1212
scalyr-team-token: "{{.Cluster.ConfigItems.scalyr_team_token}}"
1313
create-namespaces: "true"
1414
aws-available: "true"
15-
worker-role-arn: "arn:aws:iam::{{accountID .Cluster.InfrastructureAccount}}:role/{{.Cluster.LocalID}}-worker"
15+
worker-role-arn: "{{.Cluster.WorkerRoleARN}}"
16+
oidc-provider-arn: "{{.Cluster.OIDCProviderARN}}"
17+
oidc-subject-key: "{{.Cluster.OIDCSubjectKey}}"
18+
iam-role-trust-relationship-template: '{{.Cluster.IAMRoleTrustRelationshipTemplate}}'
1619
{{- if eq .Cluster.Provider "zalando-eks" }}
1720
{{ $oidc_issuer_aws := printf "%s.%s" .Cluster.ConfigItems.eks_legacy_cluster_local_id .Values.hosted_zone }}
1821
{{ $oidc_issuer_eks := index (split .Cluster.ConfigItems.eks_oidc_issuer_url "//") 1 }}
1922
{{ $oidc_provider_arn_aws := printf "arn:aws:iam::%s:oidc-provider/%s" (accountID .Cluster.InfrastructureAccount) $oidc_issuer_aws }}
2023
{{ $oidc_provider_arn_eks := printf "arn:aws:iam::%s:oidc-provider/%s" (accountID .Cluster.InfrastructureAccount) $oidc_issuer_eks }}
2124
{{ $oidc_subject_key_aws := printf "%s:sub" $oidc_issuer_aws }}
2225
{{ $oidc_subject_key_eks := printf "%s:sub" $oidc_issuer_eks }}
23-
oidc-provider-arn: "{{$oidc_provider_arn_eks}}"
24-
oidc-subject-key: "{{$oidc_subject_key_eks}}"
2526
{{- if ne .Cluster.ConfigItems.eks_legacy_cluster_local_id "" }}
2627
oidc-trust-relationship-template: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"{{$oidc_provider_arn_aws}}"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringLike":{"{{$oidc_subject_key_aws}}":"system:serviceaccount:${SERVICE_ACCOUNT}"}}},{"Effect":"Allow","Principal":{"Federated":"{{$oidc_provider_arn_eks}}"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringLike":{"{{$oidc_subject_key_eks}}":"system:serviceaccount:${SERVICE_ACCOUNT}"}}}]}'
2728
{{- else }}
@@ -34,8 +35,6 @@ data:
3435
{{ $oidc_provider_arn_eks := printf "arn:aws:iam::%s:oidc-provider/%s" (accountID .Cluster.InfrastructureAccount) $oidc_issuer_eks }}
3536
{{ $oidc_subject_key_aws := printf "%s:sub" $oidc_issuer_aws }}
3637
{{ $oidc_subject_key_eks := printf "%s:sub" $oidc_issuer_eks }}
37-
oidc-provider-arn: "{{$oidc_provider_arn_aws}}"
38-
oidc-subject-key: "{{$oidc_subject_key_aws}}"
3938
{{- if ne $oidc_issuer_eks "" }}
4039
oidc-trust-relationship-template: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"{{$oidc_provider_arn_aws}}"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringLike":{"{{$oidc_subject_key_aws}}":"system:serviceaccount:${SERVICE_ACCOUNT}"}}},{"Effect":"Allow","Principal":{"Federated":"{{$oidc_provider_arn_eks}}"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringLike":{"{{$oidc_subject_key_eks}}":"system:serviceaccount:${SERVICE_ACCOUNT}"}}}]}'
4140
{{- else }}

0 commit comments

Comments
 (0)